There are some zero-day vulnerabilities in Java that are already being exploited. However, these aren't new bugs: Oracle (NASDAQ:ORCL) has known about them since early April, and doesn't plan to fix them until October.
In IT Blogwatch, bloggers wonder why it takes six months to fix critical security holes.
By Richi Jennings: Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: TBA...
Six months? Lucian Constantin explains:
Adam Gowdiak, the founder and CEO of Polish security firm Security Explorations...reported 19 Java 7 security issues to Oracle on Apr. 2 [including] the two...unpatched vulnerabilities that attackers are exploiting to infect computers with malware. ... The company continued...until the total number reached 29.
According to a status report received on Aug. 23, [Oracle] was planning to fix the two vulnerabilities in its October Critical Patch Update (CPU). ..."we don't know why Oracle left so many serious bugs for the Oct. CPU," Gowdiak said. MORE
Neil McAllister rubs it in:
The critical Java vulnerabilities that have security experts cautioning users to disable Java...Oracle has known about them for months. ... Oracle very likely could have made patches available...months ago. Instead, it stuck to its roadmap. As a result, the vulnerabilities remain unpatched [and] the exploit has been incorporated into some of the more popular hacking...tools, meaning even the most inept script kiddies [could] execute arbitrary code or install malware on affected systems.
Java's slow-but-steady patch schedule...might be necessary for IT departments in charge of critical Java applications and middleware...[but] a user whose browser is directed to a malicious website is...wide open to attack. MORE
And Chester Wisniewski recounts the incredible and recommends the inevitable:
It took less than 12 hours...for exploits...to be included in a commercial crimeware kit.
Some have asked if Mac users are at risk. ...if you installed the official Oracle version, you could be at risk.
We recommend disabling Java or downgrading to Java 6.
Why critical...vulnerabilities were not fixed in Oracle's June patch is unknown. MORE
A tense Will Oremus agrees:
The loophole appears to affect Java Version 7 (also known as 1.7) on all browsers. ... Given the potential seriousness and pervasiveness of the attacks—and Oracle's reputation for being slow on the draw...users should probably just disable Java entirely. Like, right now. ... Java is not as popular...as it once was, and the average browser will rarely run across it.
Meanwhile, Brian Krebs does the math, then points the finger:
How many systems are vulnerable? ...more than a billion devices.
[There's a] growing body of evidence suggesting [the] exploit was first wielded in targeted espionage attacks of the sort used to extract corporate and government secrets...[that] the initial attacks were paired with Chinese crimeware known as the Gondad Exploit Kit [and that it's] connected with other targeted espionage attacks traced back to Chinese threat actor groups. MORE